Nobody can answer that question without knowing what your cleanuptext function does. The best kind of general answer I can give is that stored procedures are not a necessity for security, that you should never trust variables without testing and cleaning them thoroughly first, and that moving from SQL to Access is probably a move in the right direction.

While that statement may or may not be valid, you may still want/need to use stored procedures for increased speed.

Since we don't know exactly what your developer said, or what his intent was, we don't know if he means: A) "You don't need to use stored procedures to prevent against SQL injection attacks, because the cleanuptext function provides the same level of security," or B) "You don't need to use stored procedures at all." I would be suspicious if he is trying to say B - it sounds like he is really saying "I don't know how to code stored procedures."

And I think Steerpike meant "from Access to SQL," not the other way around. :)

What language is he writing in? Words such as drop, select, union etc. are fine; but the function needs to ensure they can only get into 'safe' parts of the SQL. You need to judge your developer by his level of expertise and his experience; if in doubt, ask another developer to review the cleanuptext function.

That script won't be good enough I'm afraid. Your programmer does not seem to know what he's doing. I suggest you post in the databases forum where you'll get some really good responses along the lines of "How can I sanitise SQL statements in ASP?"

In any case, such a simplistic approach is full of holes; just take the case of: DRDROPOP

Your cleanuptext function will replace it with: DROP

Likewise: XPXP__ etc.

Great ;)

If you can't persuade your programmer to study a little more SQL, then you need to either:

Insist (as a client you always have this right) on him using stored procedures

Hire someone with more SQL experience to come in as a 'database engineer' to patch up the SQL work on the development and hopefully give your programmer a few tips
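To make the DRDROPOP / XPXP__ point above concrete, here is an added example (not code from this thread, and not the poster's actual cleanuptext, which nobody here has seen). It reconstructs the kind of single-pass keyword-stripping filter the thread is describing as an assumption, shows how removing a blocked word once can leave the blocked word behind, and then shows the fix the thread is steering toward: passing the value to the database as a parameter rather than gluing it into the SQL text. The thread is about ASP and SQL Server; this uses Python with the standard-library sqlite3 module so it runs stand-alone, but the parameter mechanism is the same idea as an ADO Command with parameters or a stored procedure call. The blocked-keyword list is assumed from the words the thread mentions.

```python
import re
import sqlite3

# Assumed blocklist, reconstructed from the words mentioned in the thread.
# The real cleanuptext function is not shown anywhere in the discussion.
BLOCKED_KEYWORDS = ("DROP", "SELECT", "UNION", "XP_")


def naive_cleanuptext(value: str) -> str:
    """Hypothetical single-pass filter: delete each blocked keyword once.

    This is the weak pattern the thread criticises. Because each keyword is
    removed in one pass, the characters surrounding a removed keyword can
    close up to form the very keyword that was just deleted.
    """
    for keyword in BLOCKED_KEYWORDS:
        value = re.sub(re.escape(keyword), "", value, flags=re.IGNORECASE)
    return value


def build_query_by_concatenation(author: str, body: str) -> str:
    """The query-building style that cleanuptext is meant to protect.

    The SQL text and the user's data are mixed into one string, so whatever
    survives the filter becomes part of the statement the database parses.
    """
    return (
        "INSERT INTO messages(author, body) "
        f"VALUES ('{author}', '{body}')"
    )


def roundtrip_with_parameters(body: str):
    """Hardened form: the body is sent as a bound parameter.

    The database receives the statement and the data separately, so the
    data is stored as an opaque string no matter what words it contains.
    Returns (stored_body, messages_table_still_exists).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE messages(id INTEGER PRIMARY KEY, author TEXT, body TEXT)"
    )
    # '?' placeholders: the driver binds the values, no string splicing.
    conn.execute(
        "INSERT INTO messages(author, body) VALUES (?, ?)", ("guest", body)
    )
    stored = conn.execute("SELECT body FROM messages").fetchone()[0]
    table_count = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='messages'"
    ).fetchone()[0]
    conn.close()
    return stored, table_count == 1


if __name__ == "__main__":
    # Constructed inputs, taken from the thread's own two examples.
    for sample in ("DRDROPOP", "XPXP__"):
        print(f"{sample!r} -> {naive_cleanuptext(sample)!r}")
    print(build_query_by_concatenation("guest", naive_cleanuptext("DRDROPOP")))
    stored, intact = roundtrip_with_parameters("DRDROPOP")
    print(f"stored as parameter: {stored!r}, table intact: {intact}")
```

Running it prints `'DRDROPOP' -> 'DROP'` and `'XPXP__' -> 'XP_'`, which is exactly the failure the thread describes, and the concatenated query then carries that word straight into the SQL text. Looping the filter until nothing changes would close this particular hole but keeps the underlying problem: a blocklist has to guess every dangerous token while also mangling legitimate text (a message that merely contains the word "select"). The parameterised version needs no word list at all, which is why the advice in this thread to move to stored procedures, or at least to parameterised commands, is the right direction.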

My suggestion is a bit radical. If you can't trust your programmer to understand safer coding procedures for SQL Server, how can you trust him/her to understand safer coding procedures for anything? There's a lot more at risk than SQL injection attacks. Even something as seemingly simple as form input needs to be properly sanitized before you can risk doing anything with it. Quick example. Is your programmer making sure things like JavaScript commands and other potentially harmful HTML elements are being filtered out before being allowed to be posted in a message? You need to find a competent programmer. Sorry to be so blunt but programmers are a dime a dozen. Good programmers are more expensive, but well worth it.